
launchpad-reviewers team mailing list archive

[Merge] ~cjwatson/launchpad:delay-publishing-copy-archives into launchpad:master

 

Colin Watson has proposed merging ~cjwatson/launchpad:delay-publishing-copy-archives into launchpad:master.

Commit message:
Delay copy archive publishing until signing keys exist

Requested reviews:
  Launchpad code reviewers (launchpad-reviewers)

For more details, see:
https://code.launchpad.net/~cjwatson/launchpad/+git/launchpad/+merge/414974

This should be safe on production now that `cronscripts/ppa-generate-keys.py --copy-archives` is cronned, and it means that we don't end up in a situation where we publish an unsigned copy archive first and then don't realize that it needs to be republished to pick up the signing key.

I cheated slightly by overloading this on `config.personalpackagearchive.require_signing_keys`, but it doesn't seem worth the churn of adding another configuration option just for this and arranging for it to be enabled only on production.
-- 
Your team Launchpad code reviewers is requested to review the proposed merge of ~cjwatson/launchpad:delay-publishing-copy-archives into launchpad:master.
diff --git a/lib/lp/archivepublisher/tests/test_publishdistro.py b/lib/lp/archivepublisher/tests/test_publishdistro.py
index fb00a9f..399d907 100644
--- a/lib/lp/archivepublisher/tests/test_publishdistro.py
+++ b/lib/lp/archivepublisher/tests/test_publishdistro.py
@@ -1,4 +1,4 @@
-# Copyright 2009-2021 Canonical Ltd.  This software is licensed under the
+# Copyright 2009-2022 Canonical Ltd.  This software is licensed under the
 # GNU Affero General Public License version 3 (see the file LICENSE).
 
 """Functional tests for publish-distro.py script."""
@@ -336,6 +336,21 @@ class TestPublishDistro(TestNativePublishingBase):
         pub_source = self.loadPubSource(pub_source_id)
         self.assertEqual(pub_source.status, PackagePublishingStatus.PUBLISHED)
 
+    def testPublishCopyArchiveWithoutSigningKey(self):
+        """publish-distro skips copy archives without signing keys."""
+        self.setUpRequireSigningKeys()
+        ubuntutest = getUtility(IDistributionSet)['ubuntutest']
+        cprov = getUtility(IPersonSet).getByName('cprov')
+        copy_archive_name = 'test-copy-publish'
+        copy_archive = getUtility(IArchiveSet).new(
+            distribution=ubuntutest, owner=cprov, name=copy_archive_name,
+            purpose=ArchivePurpose.COPY, enabled=True)
+        removeSecurityProxy(copy_archive).publish = True
+        pub_source_id = self.getPubSource(archive=copy_archive).id
+        self.runPublishDistro(['--copy-archive'])
+        pub_source = self.loadPubSource(pub_source_id)
+        self.assertEqual(PackagePublishingStatus.PENDING, pub_source.status)
+
     def testPublishCopyArchive(self):
         """Run publish-distro in copy archive mode.
 
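Review bot: The final assertion in testPublishCopyArchiveWithoutSigningKey expects `PackagePublishingStatus.PENDING`, which is presumably also the status the publication had before the script ran. On its own it cannot distinguish "skipped because the key is missing" from "never considered by publish-distro". Pin the cause by adding `self.assertIsNone(copy_archive.signing_key_fingerprint)` before `self.runPublishDistro(['--copy-archive'])`. Also extend the docstring to say that the skip only applies once `setUpRequireSigningKeys()` has enabled the requirement. The test then still relies on testPublishCopyArchive as its positive counterpart, so that test must actually execute for this one to mean anything.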
@@ -361,6 +376,13 @@ class TestPublishDistro(TestNativePublishingBase):
         # necessary to alter the publish flag.
         removeSecurityProxy(copy_archive).publish = True
 
+        # Set up signing key.
+        self.setUpRequireSigningKeys()
+        yield self.useFixture(InProcessKeyServerFixture()).start()
+        key_path = os.path.join(gpgkeysdir, 'ppa-sample@xxxxxxxxxxxxxxxxx')
+        yield IArchiveGPGSigningKey(copy_archive).setSigningKey(
+            key_path, async_keyserver=True)
+
         # Publish something.
         pub_source_id = self.getPubSource(
             sourcename='baz', filecontent=b'baz', archive=copy_archive).id
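Review bot: The two `yield` statements added here turn testPublishCopyArchive into a generator function, yet its `def` line appears as unchanged context in the previous hunk with no decorator above it. Under a plain synchronous runner, calling the test would only create a generator object, so none of the body would run, including the assertions that follow. The test would then report success without exercising the signed copy archive path this merge depends on. Add `@defer.inlineCallbacks` above the `def` and confirm that the class runs with a Deferred-aware test runner; whether TestPublishDistro already configures one is not visible in this diff. The method starts before this hunk and continues past it.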
diff --git a/lib/lp/services/config/schema-lazr.conf b/lib/lp/services/config/schema-lazr.conf
index ef17be9..84f9294 100644
--- a/lib/lp/services/config/schema-lazr.conf
+++ b/lib/lp/services/config/schema-lazr.conf
@@ -1495,8 +1495,8 @@ private_base_url: https://private-ppa.launchpad.net
 # datatype: string
 signing_keys_root: /var/tmp/ppa-signing-keys
 
-# If true, PPAs will only be published once their signing-keys have been
-# generated.
+# If true, PPAs and copy archives will only be published once their
+# signing-keys have been generated.
 # datatype: boolean
 require_signing_keys: false
 
diff --git a/lib/lp/soyuz/model/archive.py b/lib/lp/soyuz/model/archive.py
index 59312ea..2ab3a4a 100644
--- a/lib/lp/soyuz/model/archive.py
+++ b/lib/lp/soyuz/model/archive.py
@@ -1,4 +1,4 @@
-# Copyright 2009-2021 Canonical Ltd.  This software is licensed under the
+# Copyright 2009-2022 Canonical Ltd.  This software is licensed under the
 # GNU Affero General Public License version 3 (see the file LICENSE).
 
 """Database class for table Archive."""
@@ -442,11 +442,11 @@ class Archive(SQLBase):
         # The explicit publish flag must be set.
         if not self.publish:
             return False
-        # In production configurations, PPAs can only be published once
-        # their signing key has been generated.
+        # In production configurations, PPAs and copy archives can only be
+        # published once their signing key has been generated.
         return (
             not config.personalpackagearchive.require_signing_keys or
-            not self.is_ppa or
+            (not self.is_ppa and not self.is_copy) or
             self.signing_key_fingerprint is not None)
 
     @property
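Review bot: The new middle term of the return expression, `(not self.is_ppa and not self.is_copy) or`, is harder to read than it needs to be inside a three-way `or`. The equivalent `not (self.is_ppa or self.is_copy) or` says "neither a PPA nor a copy archive" directly. Because this expression decides whether an archive may be published without a signing key, I would also add a comment above it such as `# Archives of any other purpose are not gated on a signing key here.` so the fall-through reads as intentional. The property begins above this hunk, so its docstring is not visible; if it mentions only PPAs, it should be updated to match.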